Abstract — Let $N(d, d^\perp)$ denote the minimum length $n$ of a linear code $C$ with $d$ and $d^\perp$, where $d$ is the minimum Hamming distance of $C$ and $d^\perp$ is the minimum Hamming distance of $C^\perp$. In this paper, we show a lower bound and an upper bound on $N(d, d^\perp)$. Further, for small values of $d$ and $d^\perp$, we determine $N(d, d^\perp)$ and give a generator matrix of the optimum linear code. This problem is directly related to the design method of cryptographic Boolean functions suggested by Kurosawa et al.

Index Terms — Boolean function, dual distance, linear code, 
minimum distance 



I. Introduction 

One of the fundamental problems in coding theory is to find 
the minimum length of linear codes for the given minimum 
Hamming distance d and the given number of codewords K, 
where the length of a linear code means the length of the 
codewords. 

In this paper, we study a variant of this problem: find the minimum length of linear codes $C$ which achieve the given minimum Hamming distance $d$ and the given minimum Hamming distance $d^\perp$ of $C^\perp$, where $C^\perp$ denotes the dual code of $C$. Note that the number of codewords $K$ is replaced by the minimum Hamming distance $d^\perp$ of $C^\perp$ in our new problem. This problem is interesting not only theoretically but also practically: it is directly related to the design of cryptographic Boolean functions as follows.

Block ciphers must be secure against various attacks, in particular against differential attacks [3] and linear attacks [10]. The security of block ciphers is often studied by viewing their S-boxes (or F functions) as a set of Boolean functions. We say that a Boolean function $f(x)$ satisfies (propagation criteria) PC($\ell$) [12], [13] if $f(x) + f(x + \Delta)$ is uniformly distributed for any $\Delta$ with $1 \le \mathrm{wt}(\Delta) \le \ell$, where $\mathrm{wt}(\Delta)$ denotes the Hamming weight of $\Delta$.

It is clear that PC($\ell$) is directly related to the security against differential attacks because $\Delta$ is the input difference and $f(x) + f(x + \Delta)$ is the output difference of $f$. Also, $f(x)$ is a bent function [9, Chapter 14] if and only if $f(x)$ satisfies PC($n$) [13], where a bent function has the largest distance from the set of affine (linear) functions. Hence PC($n$) is directly related to the security against linear attacks. The famous strict avalanche criterion (SAC), which was introduced as a criterion of the security of S-boxes [14], is equivalent to PC(1).

More generally, we say that $f(x)$ satisfies (extended propagation criteria) EPC($\ell$) of order $k$ [12], [13] if $f(x)$ satisfies PC($\ell$) even if any $k$ bits of $x = (x_1, \ldots, x_n)$ are fixed to any constant bits. (We remark that many authors refer to EPC as just PC, including [8].) For example, SAC($k$), which is a generalized version of SAC, is equivalent to EPC(1) of order $k$. As shown above, EPC($\ell$) of order $k$ is a more generalized security notion of cryptographic Boolean functions.

Kurosawa et al. [8] gave the first construction method of EPC($\ell$) of order $k$ based on the Maiorana-McFarland construction (see [7]). They showed that there exists an EPC($\ell$) of order $k$ function $f(x_1, \ldots, x_n)$ if there exists a linear code $C$ such that $d = k + 1$, $d^\perp = \ell + 1$ and the length of $C$ is $n/2$, where $d$ is the minimum Hamming distance of $C$ and $d^\perp$ is the minimum Hamming distance of $C^\perp$. Carlet generalized this construction to nonlinear codes [5].

We now ask, given $k$ and $\ell$, what is the minimum $n$ for which EPC($\ell$) of order $k$ functions $f(x_1, \ldots, x_n)$ exist? In the design method of Kurosawa et al. [8], this is equivalent to saying that, given $d$ and $d^\perp$, find the minimum length $n$ of a linear code $C$ with $d$ and $d^\perp$. Note that this problem is exactly the same as the one mentioned at the beginning of the introduction.

More formally, let $N(d, d^\perp)$ denote the minimum length $n$ of a linear code $C$ with $d$ and $d^\perp$, where $d$ is the minimum Hamming distance of $C$ and $d^\perp$ is the minimum Hamming distance of $C^\perp$. We then want to find $N(d, d^\perp)$ for given $d$ and $d^\perp$. In this paper, we show lower bounds and upper bounds on $N(d, d^\perp)$. Further, for small values of $d$ and $d^\perp$, we determine $N(d, d^\perp)$ exactly and give a generator matrix of the optimum linear code.

This paper is organized as follows: In Section 2, we introduce relevant concepts and notations. In Section 3, we propose upper bounds on $N(d, d^\perp)$. In Section 4, we propose lower bounds on $N(d, d^\perp)$, show true values of $N(d, d^\perp)$, and compare the proposed bounds with the true values. In Section 5, concluding remarks are given.

II. Preliminaries

A. Notation

We use $f$ to denote a Boolean function $\{0,1\}^n \to \{0,1\}$, and $\phi$ to denote a function $\{0,1\}^n \to \{0,1\}^m$, where $m < n$. We use $x$ to denote $(x_1, \ldots, x_n)$, where $x_i$ is a binary variable.

Let $\cdot$ denote the inner product of two binary vectors over GF(2). For a set $A$, $|A|$ denotes the cardinality of $A$.

Let a linear $[n, m, d]$ code denote a binary linear code $C$ of length $n$, dimension $m$ and the minimum Hamming distance at least $d$. The dual code $C^\perp$ of a linear code $C$ is defined as $C^\perp = \{u \mid u \cdot v = 0 \text{ for all } v \in C\}$. The dual distance $d^\perp$ of $C$ is defined as the minimum Hamming distance of $C^\perp$.

B. Resilient Functions

Definition 1: We say that $\phi : \{0,1\}^n \to \{0,1\}^m$ is an $(n, m, k)$-resilient function if $\phi(x_1, \ldots, x_n)$ is uniformly distributed even if any $k$ variables $x_{i_1}, \ldots, x_{i_k}$ are fixed into constants. That is,

$$\Pr[\phi(x_1, \ldots, x_n) = (y_1, \ldots, y_m) \mid x_{i_1} x_{i_2} \cdots x_{i_k} = \alpha] = 2^{-m}$$

for any $k$ positions $i_1 < \cdots < i_k$, for any $k$-bit string $\alpha \in \{0,1\}^k$ and for any fixed $(y_1, \ldots, y_m) \in \{0,1\}^m$, where the values $x_j$ ($j \notin \{i_1, \ldots, i_k\}$) are chosen independently at random.

C. EPC($\ell$) of order $k$

Define the derivative of $f : \{0,1\}^n \to \{0,1\}$ by

$$D_\Delta f = f(x) + f(x + \Delta)$$

for $\Delta \in \{0,1\}^n$.

Definition 2: [12], [13] We say that a Boolean function $f : \{0,1\}^n \to \{0,1\}$ satisfies EPC($\ell$) of order $k$ if $D_\Delta f$ is $k$-resilient for any $\Delta \in \{0,1\}^n$ with $1 \le \mathrm{wt}(\Delta) \le \ell$. (We also say that $f$ is an EPC($\ell$) of order $k$ function.)

Kurosawa et al. gave a general method to design EPC($\ell$) of order $k$ functions by using a linear code [8].

Proposition 3: Suppose that there exists a linear $[n, m, k+1]$ code $C$ with the dual distance at least $\ell + 1$. Then there exists an EPC($\ell$) of order $k$ function $f : \{0,1\}^{2n} \to \{0,1\}$.

Remark 4: The construction of [8] is essentially quadratic in nature with a non-quadratic 'offset' part. After [8], Carlet [5] showed a construction which uses nonlinear Kerdock and Preparata codes as an improvement. It gives non-quadratic Boolean functions not just in their offset part.

Define $N(d, d^\perp)$ as the minimum $n$ such that there exists a linear $[n, m, d]$ code $C$ with the dual distance at least $d^\perp$. Then $N(k+1, \ell+1)$ is the minimum $n$ such that there exists an EPC($\ell$) of order $k$ function $f : \{0,1\}^{2n} \to \{0,1\}$ in the design method of Kurosawa et al. We will consider the upper and lower bounds on $N(d, d^\perp)$, and also determine the true values of $N(d, d^\perp)$ for small $d$ and $d^\perp$.

III. Upper Bound

In this section, we show upper bounds on $N(d, d^\perp)$. The first bound is based on a Gilbert-Varshamov type argument [9, pp. 557-558].

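Definition 5:

$$S_{n,m} = \{C \mid C \text{ is an } [n, m] \text{ linear code}\},$$
$$S_{n,m}(v) = \{C \in S_{n,m} \mid C \ni v\},$$
$$S^\perp_{n,m}(v) = \{C \in S_{n,m} \mid C^\perp \ni v\}.$$

Lemma 6: For a nonzero vector $v \in GF(2)^n$, we have

$$\frac{|S_{n,m}(v)|}{|S_{n,m}|} = \frac{2^m - 1}{2^n - 1}, \qquad (1)$$

$$\frac{|S^\perp_{n,m}(v)|}{|S_{n,m}|} = \frac{2^{n-m} - 1}{2^n - 1}. \qquad (2)$$

Proof is given in Appendix I.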

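Theorem 7: There exists an $[n, m, d]$ binary code with the dual distance $d^\perp$ if

$$\frac{2^m - 1}{2^n - 1} \sum_{i=1}^{d-1} \binom{n}{i} + \frac{2^{n-m} - 1}{2^n - 1} \sum_{i=1}^{d^\perp - 1} \binom{n}{i} < 1.$$

$N(d, d^\perp)$ is upper bounded by the minimum $n$ satisfying the above inequality.

Proof: The required code exists iff

$$S_{n,m} \supsetneq \bigcup_{1 \le \mathrm{wt}(v) \le d-1} S_{n,m}(v) \;\cup \bigcup_{1 \le \mathrm{wt}(v) \le d^\perp - 1} S^\perp_{n,m}(v).$$

The cardinality of the right hand side is less than or equal to

$$\sum_{1 \le \mathrm{wt}(v) \le d-1} |S_{n,m}(v)| + \sum_{1 \le \mathrm{wt}(v) \le d^\perp - 1} |S^\perp_{n,m}(v)| \qquad (3)$$

$$< |S_{n,m}|$$

by Lemma 6. Thus, if the assumption of the theorem is satisfied, the required code exists. ■

We also introduce another upper bound.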

Proposition 8:

$$N(d - 1, d^\perp) \le N(d, d^\perp) - 1 \quad (\text{for } d \ge 2), \qquad (4)$$
$$N(d, d^\perp - 1) \le N(d, d^\perp) - 1 \quad (\text{for } d^\perp \ge 2). \qquad (5)$$

Proof: Let $C$ be a linear code attaining $N(d, d^\perp)$, and $C'$ be the punctured code of $C$. Then $C'$ has the minimum distance at least $d - 1$ and the dual distance at least $d^\perp$, which proves Eq. (4). Equation (5) is proved by considering the punctured code of $C^\perp$. ■

IV. Lower bounds

In this section, we give four lower bounds on $N(d, d^\perp)$. The first two are immediate applications of the Griesmer bound and a well-known fact of MDS codes. The third is based on an improvement to the Hamming bound. The fourth is an improvement to Brouwer's bound [4] based on the solvability of a system of linear inequalities [6].

A. Bounds based on the Griesmer bound and the result in MDS codes

Proposition 9 (Griesmer): [9, Section 17.§6] If there exists an $[n, m, d]$ linear code, then



a 



Theorem 10: 



i=l 



N(d, d^ > min[n : 2n > d + d A 



mm 

m=l,...,7i — 1 



E 



(6) 



Proof: If there exists an $[n, m, d]$ code with dual distance $d^\perp$, then by the Griesmer bound we have



2n>d + d ± 



E 



(7) 



Since $N(d, d^\perp)$ is the minimum $n$ such that there exists a linear code of length $n$, minimum distance $d$ and dual distance $d^\perp$, $2N(d, d^\perp)$ is lower bounded by the minimum of the right hand side of Eq. (7) over possible $n$ and $m$. ■

Remark 11: It is well-known that the simplex codes attain the Griesmer bound. However, they do not attain Eq. (6).

The Singleton bound is a corollary to the Griesmer bound and has a simpler expression. It states that if there exists an $[n, m, d]$ code then $m \le n - d + 1$. When the code is binary and $d \ge 3$, it can be tightened to $m \le n - d$ [11]. The first part of the following result can be seen as a corollary to Theorem 10.

Theorem 12:

$$N(d, d^\perp) \ge d + d^\perp - 2. \qquad (8)$$

When $d \ge 3$ and $d^\perp \ge 3$, we have$^1$

$$N(d, d^\perp) \ge d + d^\perp. \qquad (9)$$

Proof: Adding $m \le N(d, d^\perp) - d + 1$ and $N(d, d^\perp) - m \le N(d, d^\perp) - d^\perp + 1$ shows Eq. (8). A similar argument shows Eq. (9). ■

B. Bound based on an improved Hamming bound 

In this subsection, we will introduce an improvement to the Hamming bound, and derive a lower bound on $N(d, d^\perp)$ as a corollary.

Definition 13: For positive integers $d$ and $n$, we define the function $\ell(n, d)$ by

$$\ell(n, d) = \begin{cases} \displaystyle\sum_{i=0}^{(d-1)/2} \binom{n}{i} & \text{for odd } d, \\[2ex] \displaystyle\sum_{i=0}^{d/2-1} \binom{n}{i} + \binom{n-1}{d/2-1} & \text{for even } d. \end{cases}$$

Discrete random variables $X_1, \ldots, X_n$ are said to be $d$-wise independent if

$$\Pr[X_{i_1} = x_{i_1}, \ldots, X_{i_d} = x_{i_d}] = \prod_{j=1}^{d} \Pr[X_{i_j} = x_{i_j}]$$

for all $d$-tuples of indices $(i_1, \ldots, i_d)$ and all realizations $(x_{i_1}, \ldots, x_{i_d})$ of random variables.

$^1$ This improvement was pointed out by an anonymous reviewer.

Lemma 14: [1, Proposition 6.4] Let $X_1, \ldots, X_n$ be $(d-1)$-wise independent nonconstant random variables that map the sample space $\Omega$ to $\{0, 1\}$. Then we have $|\Omega| \ge \ell(n, d)$.

Theorem 15: For an $[n, m, d]$ linear code $C$, we have $2^{n-m} \ge \ell(n, d)$.

Proof: Let $H$ be a parity check matrix for $C$, and $h_i$ be its $i$-th column. Consider the sample space $\Omega = GF(2)^{n-m}$ and the random variable $X_i$ that maps $v \in \Omega$ to the inner product of $v$ and $h_i$. Since any $(d - 1)$ columns in $H$ are linearly independent, the random variables $X_1, \ldots, X_n$ are $(d-1)$-wise independent with the uniform probability distribution on $\Omega$. By Lemma 14, $2^{n-m} = |\Omega| \ge \ell(n, d)$. ■

Observe that Theorem 15 is an improvement to the Hamming bound when $d$ is even.

Corollary 16:

$$N(d, d^\perp) \ge \min\{n \mid n \ge \log_2 \ell(n, d) + \log_2 \ell(n, d^\perp)\}.$$

Proof: If there exists an $[n, m, d]$ linear code with dual distance $d^\perp$, then by Theorem 15

$$2^{n-m} \cdot 2^m \ge \ell(n, d) \cdot \ell(n, d^\perp),$$
$$n \ge \log_2 \ell(n, d) + \log_2 \ell(n, d^\perp). \qquad (10)$$

Since $N(d, d^\perp)$ is the minimum $n$ such that there exists a linear code of length $n$, minimum distance $d$ and dual distance $d^\perp$, $N(d, d^\perp)$ is lower bounded by the minimum of the right hand side of Eq. (10) over possible $n$. ■

C. Bounds based on linear inequalities

For a linear code $C$, define

$$A_w = |\{c \in C : \mathrm{wt}(c) = w\}|,$$
$$A'_w = |\{c \in C^\perp : \mathrm{wt}(c) = w\}|.$$

We have [9, Section 5.§2]

$$A'_w = \frac{1}{|C|} \sum_{i=0}^{n} A_i P_w(i),$$

where $P_w(i)$ is the Krawtchouk polynomial defined by

$$P_w(i) = \sum_{j=0}^{w} (-1)^j \binom{i}{j} \binom{n-i}{w-j}.$$

For $w = 1, \ldots, n$, we must have $A'_w \ge 0$. When the code $C$ has minimum distance $d$, we have $A_1 = A_2 = \cdots = A_{d-1} = 0$. We also have $A'_1 = \cdots = A'_{d^\perp - 1} = 0$ if $C$ has dual distance $d^\perp$. Therefore, if there exists a linear code of length $n$, minimum distance $d$ and dual distance $d^\perp$, then there exists a solution $A_d, \ldots, A_n$ to the following system of linear inequalities:

$$A_i \ge 0 \quad \text{for } i = d, \ldots, n,$$
$$\sum_{i=d}^{n} A_i P_w(i) = -\binom{n}{w} \quad \text{for } w = 1, \ldots, d^\perp - 1, \qquad (11)$$
$$\sum_{i=d}^{n} A_i P_w(i) \ge -\binom{n}{w} \quad \text{for } w = d^\perp, \ldots, n.$$

Theorem 17: [4] $N(d, d^\perp)$ is greater than or equal to the minimum $n$ such that there exists a solution to the above system of linear inequalities.

We will add other constraints to Eq. (11). Since we consider linear codes, there must exist an integer solution $(A_d, \ldots, A_n)$ with $A_d + \cdots + A_n = 2^m - 1$ for some nonnegative integer $m$.

A binary linear code is said to be even if all codewords have even weight. We call a code odd if it is not even. When the code $C$ is odd, then there is the same number of even weighted codewords and odd weighted ones. Moreover, the dual code $C^\perp$ does not contain the codeword with all 1, otherwise $C$ is even. Therefore, if the code $C$ is odd, then we have

$$\sum_{i:\,\text{even}} A_i = \sum_{i:\,\text{odd}} A_i, \qquad A'_n = 0. \qquad (12)$$

When the code $C$ is even, then the dual code $C^\perp$ contains the codeword with all 1, and we have $A'_i = A'_{n-i}$, because there is one-to-one correspondence between codewords with weight $i$ and weight $n - i$ by adding the all 1 codeword.

Furthermore, we have the following inequality [4] when $C$ is even:

n 



4|j 



i=0 



where $4 \mid i$ denotes that 4 divides $i$. Summing up, the evenness of $C$ implies



A, 



0, for i = 1,3, 5, 



4' 

A' 



1, 
AL 



(13) 



By exchanging the role of $C$ and $C^\perp$, we see that the oddness of $C^\perp$ implies



even 



A n = 0. 
and that the evenness of $C^\perp$ implies



:odd 



4' 



(14) 



A[ = 0, for i = 1,3,5, 

A n = 1 j 

Ai — A n —i. 



(15) 



When we estimate $N(d, d^\perp)$ and $d$ is even, the code can be either odd or even, and we search a solution for either Eq. (12) or (13). When $d$ is odd, the code is odd and we search a solution for Eq. (12) only. The same rule applies to $d^\perp$.

Remark 18: We remark on the computational complexity on the bound presented in this subsection. When we require $A_d, \ldots, A_n$ to be integers, we have to solve an integer programming problem for which there is no known polynomial time algorithm in the number of variables [2, Section 11.8]. When we allow $A_d, \ldots, A_n$ to be any real numbers, we solve a linear programming problem that can be solved in roughly $O((n - d)^5)$ arithmetic operations [2, Section 9.3]. In both cases, it quickly becomes difficult to compute the lower bound for large $n$.



D. Numerical Examples 

In this subsection, we give numerical examples of the derived bounds in Table I. An entry $x$ in Table I means that $N(d, d^\perp) \ge x$ for the lower bounds, and $N(d, d^\perp) \le x$ for the upper bound. True values of $N(d, d^\perp)$ are also listed, which are obtained by exhaustive search. Generator matrices of codes attaining $N(d, d^\perp)$ are listed in Appendix II. We could not determine the true values of $N(d, d^\perp)$ by exhaustive search with $(d, d^\perp)$ not listed in Table I. We remark that $N(2,5) = N(5,2) = 5$ because the trivial $[5,1,5]$ code has dual distance 2.

From Table I, we can make the following observations. Lower bounds are increasing in order of Corollary 16, Theorem 17 and the improvement of Theorem 17 in Sec. IV-C. Theorems 10 and 12 give smaller lower bounds. The upper bound in Theorem 7 is very loose for small values of $d$ and $d^\perp$. This looseness seems to come from the fact that many elements are counted several times in Eq. (3).

Additional constraints in Sec. IV-C give the true values of $N(d, d^\perp)$ as a lower bound except for $(d, d^\perp) = (5,5)$. They also improve Theorem 17 in the parameters $(d, d^\perp) = (5,3), (5,4), (6,3), (6,4), (6,5), (6,6)$. These improvements significantly reduced the required time for exhaustive search.
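
The closed-form bounds of Corollary 16 and Theorem 7 can be recomputed and compared with Table I. The Python below is an added example, not code from the paper; its function names are chosen here, and it assumes $\ell(n,d) = \sum_{i=0}^{(d-1)/2}\binom{n}{i}$ for odd $d$, $\ell(n,d) = \sum_{i=0}^{d/2-1}\binom{n}{i} + \binom{n-1}{d/2-1}$ for even $d$, and Theorem 7 in the form $\frac{2^m-1}{2^n-1}\sum_{i=1}^{d-1}\binom{n}{i} + \frac{2^{n-m}-1}{2^n-1}\sum_{i=1}^{d^\perp-1}\binom{n}{i} < 1$.

```python
"""Recompute the Cor. 16 lower bound and the Thm. 7 upper bound on N(d, d_perp)."""
from math import comb


def ell(n, d):
    """l(n, d) of Definition 13; the even-d case carries one extra binomial."""
    if d % 2:
        return sum(comb(n, i) for i in range((d - 1) // 2 + 1))
    return sum(comb(n, i) for i in range(d // 2)) + comb(n - 1, d // 2 - 1)


def lower_bound_cor16(d, d_perp, n_max=128):
    """Least n with n >= log2 l(n, d) + log2 l(n, d_perp).

    Checked as 2^n >= l(n, d) * l(n, d_perp) so the test is exact in integers.
    """
    for n in range(1, n_max + 1):
        if 2 ** n >= ell(n, d) * ell(n, d_perp):
            return n
    raise ValueError("no n <= n_max satisfies Corollary 16")


def upper_bound_thm7(d, d_perp, n_max=128):
    """Least n for which some dimension m satisfies the Gilbert-Varshamov
    type inequality of Theorem 7 (both sides multiplied by 2^n - 1)."""
    for n in range(2, n_max + 1):
        low = sum(comb(n, i) for i in range(1, d))            # weights 1..d-1
        low_dual = sum(comb(n, i) for i in range(1, d_perp))  # weights 1..d_perp-1
        for m in range(1, n):
            if (2 ** m - 1) * low + (2 ** (n - m) - 1) * low_dual < 2 ** n - 1:
                return n
    raise ValueError("no n <= n_max satisfies Theorem 7")


# (d, d_perp): (true value, Cor. 16 entry, Thm. 7 entry), transcribed from Table I.
TABLE_I = {
    (3, 3): (6, 6, 17), (4, 3): (7, 7, 21), (4, 4): (8, 8, 25),
    (5, 3): (11, 9, 24), (5, 4): (13, 11, 29), (5, 5): (16, 14, 34),
    (6, 3): (12, 10, 28), (6, 4): (14, 12, 33), (6, 5): (17, 15, 38),
    (6, 6): (18, 16, 42), (7, 3): (14, 12, 31), (7, 4): (15, 14, 37),
    (8, 3): (15, 14, 35), (8, 4): (16, 15, 40),
}


def mismatches():
    """Rows whose recomputed bounds differ from Table I or fail to bracket the true value."""
    bad = []
    for (d, d_perp), (true, cor16, thm7) in TABLE_I.items():
        lo, hi = lower_bound_cor16(d, d_perp), upper_bound_thm7(d, d_perp)
        if (lo, hi) != (cor16, thm7) or not lo <= true <= hi:
            bad.append((d, d_perp, lo, hi))
    return bad


if __name__ == "__main__":
    print(" d d_perp  Cor.16  true  Thm.7  slack of Thm.7")
    for (d, d_perp), (true, _, _) in TABLE_I.items():
        lo, hi = lower_bound_cor16(d, d_perp), upper_bound_thm7(d, d_perp)
        print(f"{d:2d} {d_perp:6d} {lo:7d} {true:5d} {hi:6d} {hi - true:6d}")
    print("rows disagreeing with Table I:", mismatches())
```

Since the construction of Kurosawa et al. uses $2n$ input bits for a code of length $n$, the slack column translates directly into how far the guaranteed input length of an EPC($\ell$) of order $k$ function overshoots the optimum.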

V. Conclusion 

In this paper, we considered the minimum length of linear codes with specified minimum Hamming distances and dual distances, from which cryptographic Boolean functions are constructed. We obtained an upper bound by a Gilbert-Varshamov type argument, and lower bounds by applying the Griesmer, the Hamming, and the linear programming bound. The true values for the minimum length are also determined by exhaustive search for a certain range of parameters. These lower bounds and true values are useful for estimating the necessary input length of cryptographic Boolean functions for given cryptographic strength. This paper also demonstrated that the upper bound proposed herein is too loose, and it remains an open problem to derive a tight upper bound.

TABLE I
True values and estimates of $N(d, d^\perp)$ by the derived bounds

                       |                    lower bounds                          | upper bound
 $d$  $d^\perp$  true  | Thm.12  Thm.10  Cor.16  Thm.17          Sect.IV-C        | Thm.7
                 value |                         (conventional)                   |
  3      3        6    |   6       5       6       6                6             |  17
  4      3        7    |   7       6       7       7                7             |  21
  4      4        8    |   8       7       8       8                8             |  25
  5      3       11    |   8       7       9      10               11             |  24
  5      4       13    |   9       8      11      11               13             |  29
  5      5       16    |  10      11      14      14               14             |  34
  6      3       12    |   9       8      10      11               12             |  28
  6      4       14    |  10       9      12      12               14             |  33
  6      5       17    |  11      12      15      15               17             |  38
  6      6       18    |  10      13      16      16               18             |  42
  7      3       14    |  10       9      12      14               14             |  31
  7      4       15    |  11      10      14      15               15             |  37
  8      3       15    |  11      10      14      15               15             |  35
  8      4       16    |  12      11      15      16               16             |  40

Appendix I
Proof of Lemma 6

Lemma 19: For nonzero vectors $u, v \in GF(2)^n$, we have

$$|S_{n,m}(u)| = |S_{n,m}(v)|, \qquad (16)$$
$$|S^\perp_{n,m}(u)| = |S_{n,n-m}(u)|, \qquad (17)$$
$$|S^\perp_{n,m}(u)| = |S^\perp_{n,m}(v)|. \qquad (18)$$

Proof: We define the group $GL_n$ as the set of bijective linear maps $f$ on $GF(2)^n$. In the following equation, $S_{n,m} \ni C_1$ is a fixed linear code, and $g$ is a fixed bijective linear map on $GF(2)^n$ such that $g(v) = u$.

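$$\begin{aligned}
|S_{n,m}(u)| &= |\{C \in S_{n,m} \mid C \ni u\}| \\
&= |\{f(C_1) \mid f(C_1) \ni u,\ f \in GL_n\}| \\
&= |\{f(C_1) \mid f(C_1) \ni g(v),\ f \in GL_n\}| \\
&= |\{g^{-1} \circ f(C_1) \mid g^{-1} \circ f(C_1) \ni v,\ f \in GL_n\}| \\
&= |\{f(C_1) \mid f(C_1) \ni v,\ f \in GL_n\}| \\
&= |S_{n,m}(v)|.
\end{aligned}$$

Equation (16) is proved.

By taking the dual code, we see that there is a one-to-one correspondence between $S_{n,m}$ and $S_{n,n-m}$, and we have

$$\begin{aligned}
|S^\perp_{n,m}(u)| &= |\{C \in S_{n,m} \mid C^\perp \ni u\}| \\
&= |\{C \in S_{n,n-m} \mid C \ni u\}| \\
&= |S_{n,n-m}(u)|,
\end{aligned}$$

which proves Eq. (17). Equation (18) is deduced from Eqs. (16) and (17). ■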
Proof of Lemma 6: Let $B$ be the set of pairs of a nonzero vector $u$ and $C \in S_{n,m}$ such that $u \in C$. For each $C \in S_{n,m}$, there are $2^m - 1$ nonzero vectors $u$ such that $u \in C$, and we have $|B| = (2^m - 1)|S_{n,m}|$.

For each nonzero vector $u$ there are $|S_{n,m}(u)|$ linear codes $C$ such that $u \in C$, and we have

$$|B| = \sum_{u \ne 0} |S_{n,m}(u)| = (2^n - 1)|S_{n,m}(v)|$$

by Eq. (16). Thus Eq. (1) is proved. Equation (2) follows from Eqs. (1) and (17). ■

Appendix II
Linear codes attaining $N(d, d^\perp)$

In this Appendix, we give the name or generator matrices of linear codes attaining $N(d, d^\perp)$. Matrices are generator matrices of linear codes attaining $N(d, d^\perp)$ unless otherwise specified.

$N(3,3) = 6$: Attained by the $[6,3,3]$ shortened Hamming code.

$N(4,3) = 7$: Attained by the $[7,4,3]$ Hamming code.

$N(4,4) = 8$: Attained by the $[8,4,4]$ extended Hamming code.

$N(5,3) = 11$: [generator matrix; entries not recoverable in this copy]

$N(5,4) = 13$: [generator matrix; entries not recoverable in this copy]

$N(5,5) = 16$: [generator matrix; entries not recoverable in this copy]

$N(6,3) = 12$: [generator matrix; entries not recoverable in this copy]

$N(6,4) = 14$: The generator matrix of its dual code is [matrix; entries not recoverable in this copy]

$N(6,5) = 17$: The generator matrix of its dual code is

$N(6,6) = 18$:

$N(7,3) = 14$: Attained by the $[14,4,7]$ punctured simplex code.

$N(7,4) = 15$: Attained by the $[15,5,7]$ punctured first order Reed-Muller code.

$N(8,3) = 15$: Attained by the $[15,4,8]$ simplex code.

$N(8,4) = 16$: Attained by the $[16,5,8]$ first order Reed-Muller code.
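
The first three entries of this list can be checked mechanically, using the MacWilliams identity and Krawtchouk polynomials of Sec. IV-C to obtain the dual distance without enumerating the dual code. This is an added example, not code or matrices from the paper: the generator matrices are standard systematic forms of the named codes chosen here, and all function names are hypothetical.

```python
"""Minimum distance and dual distance of a small binary linear code."""
from math import comb

# Constructed sample input: systematic generator matrices of the named codes.
SHORTENED_HAMMING_6_3 = ["100101", "010110", "001111"]
HAMMING_7_4 = ["1000011", "0100101", "0010110", "0001111"]
EXT_HAMMING_8_4 = ["10000111", "01001011", "00101101", "00011110"]


def codewords(gen_rows):
    """Span of the generator rows over GF(2); words are ints used as bit vectors."""
    words = {0}
    for row in gen_rows:
        words |= {w ^ row for w in words}
    return words


def weight_distribution(words, n):
    """A_w = number of codewords of Hamming weight w, for w = 0..n."""
    dist = [0] * (n + 1)
    for w in words:
        dist[bin(w).count("1")] += 1
    return dist


def krawtchouk(n, w, i):
    """P_w(i) = sum_j (-1)^j C(i, j) C(n - i, w - j)."""
    return sum((-1) ** j * comb(i, j) * comb(n - i, w - j) for j in range(w + 1))


def dual_weight_distribution(dist, n):
    """MacWilliams identity: A'_w = (1/|C|) sum_{i=0}^{n} A_i P_w(i)."""
    size = sum(dist)
    dual = []
    for w in range(n + 1):
        total = sum(a * krawtchouk(n, w, i) for i, a in enumerate(dist))
        if total < 0 or total % size:
            raise ValueError("not the weight distribution of a linear code")
        dual.append(total // size)
    return dual


def analyse(gen):
    """Return (n, m, d, d_perp) for generator rows given as bit strings."""
    n = len(gen[0])
    words = codewords([int(row, 2) for row in gen])
    dist = weight_distribution(words, n)
    dual = dual_weight_distribution(dist, n)
    m = len(words).bit_length() - 1              # |C| = 2^m
    d = next((w for w in range(1, n + 1) if dist[w]), None)
    d_perp = next((w for w in range(1, n + 1) if dual[w]), None)
    return n, m, d, d_perp


def epc_from_code(gen):
    """Proposition 3: a code with d = k + 1 and d_perp = l + 1 of length n
    yields an EPC(l) of order k function on 2n input bits."""
    n, _, d, d_perp = analyse(gen)
    return {"l": d_perp - 1, "k": d - 1, "input_bits": 2 * n}


if __name__ == "__main__":
    for name, gen in [("[6,3,3] shortened Hamming", SHORTENED_HAMMING_6_3),
                      ("[7,4,3] Hamming", HAMMING_7_4),
                      ("[8,4,4] extended Hamming", EXT_HAMMING_8_4)]:
        print(name, analyse(gen), epc_from_code(gen))
```

The Hamming code comes out with $(d, d^\perp) = (3, 4)$; its dual has $(4, 3)$ at the same length, which is the sense in which it attains $N(4,3) = 7$.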



REFERENCES

[1] N. Alon, L. Babai, and A. Itai, "A fast and simple randomized parallel algorithm for the maximal independent set problem," J. Algorithms, vol. 7, no. 4, pp. 567-583, Dec. 1986.

[2] D. Bertsimas and J. N. Tsitsiklis, Introduction to Linear Optimization. Nashua, NH, USA: Athena Scientific, 1997.

[3] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems," in Advances in Cryptology - CRYPTO '90, ser. Lecture Notes in Computer Science, vol. 537. Springer-Verlag, 1991, pp. 2-21.

[4] A. E. Brouwer, "The linear programming bound for binary linear codes," IEEE Trans. Inform. Theory, vol. 38, no. 2, pp. 677-680, May 1993.

[5] C. Carlet, "On cryptographic propagation criteria for Boolean functions," Inform. and Comput., vol. 151, no. 1-2, pp. 32-56, May 1999.

[6] P. Delsarte, "Bounds for unrestricted codes, by linear programming," Philips Res. Rep., vol. 27, pp. 272-289, 1972.

[7] J. F. Dillon, "Elementary Hadamard difference sets," Ph.D. dissertation, Univ. of Maryland, 1974.

[8] K. Kurosawa and T. Satoh, "Design of SAC/PC($\ell$) of order $k$ Boolean functions and three other cryptographic criteria," in Advances in Cryptology - EUROCRYPT '97, ser. Lecture Notes in Computer Science, vol. 1233. Springer-Verlag, 1997, pp. 434-449.

[9] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam: Elsevier, 1977.

[10] M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology - EUROCRYPT '93, ser. Lecture Notes in Computer Science, vol. 765. Springer-Verlag, 1994, pp. 386-397.

[11] V. S. Pless, W. C. Huffman, and R. A. Brualdi, "An introduction to algebraic codes," in Handbook of Coding Theory, V. Pless and W. C. Huffman, Eds. Amsterdam: Elsevier, 1998, pp. 3-139.

[12] B. Preneel, R. Govaerts, and J. Vandewalle, "Boolean functions satisfying higher order propagation criteria," in Advances in Cryptology - EUROCRYPT '91 Proceedings, ser. Lecture Notes in Computer Science, vol. 547. Springer-Verlag, 1991, pp. 141-152.

[13] B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts, and J. Vandewalle, "Propagation characteristics of Boolean functions," in Advances in Cryptology - EUROCRYPT '90 Proceedings, ser. Lecture Notes in Computer Science, vol. 473. Springer-Verlag, 1991, pp. 162-173.

[14] A. F. Webster and S. E. Tavares, "On the design of S-boxes," in Advances in Cryptology - CRYPTO '85 Proceedings, ser. Lecture Notes in Computer Science, vol. 218. Springer-Verlag, 1986, pp. 523-534.



